FREQUENTLY ASKED QUESTIONS

Ans: If you access EDB Portal at EDB Offices, it will automatically launch the EDB Portal Home Page via https://portal.edb.gov.hk if you have already logon Windows Domain. In other words, no further logon is required.

You will have the same experience when you logon the EDB Portal via FortiClient VPN.

Ans: You have to click the sign-out option at the top right corner of EDB Portal Home. Remember to close all the browser windows after your successful logout.

Since it will automatically logon again via Windows Domain Logon, please be reminded to lock your screen if your workstation is temporary unattended. Remember to sign-out your Windows when you leave your workstation for a prolonged period of time.

Ans: By default, you can automatically logon EDB Portal via your domain username and password. However, if a logon box is prompted, please verify the following setting on your Internet options from the control panel. Highlight Local Intranet and click the Custom Level, then ensure that the "Automatic logon only in Intranet zone" is selected.

Ans: By default, you will logon EDB Portal on behalf of your domain account. If you would like to logon on behalf of other account, you have to enable your browser to prompt the logon box as follow:

Go to the Internet options from the control panel. Highlight Local Intranet and click the Custom Level, then select that the "Prompt for user name and password".

Then a logon box will prompt for your next logon, you can logon on behalf of other account.

Ans: It supports popular browsers including Chrome, Internet Explorer, Microsoft Edge etc. However, to maintain the SSO experience at EDB Office, Firefox is required to apply the settings with the following steps.

i. Start Firefox and in the address bar, type about:config.
ii. At the prompt that warns to proceed with caution, agree to continue.
iii. Search for each setting in the following table and provide the value indicated.

Note: These steps are not required if you access EDB Portal via VPN.

Ans: If you access EDB Portal via Internet, you must logon the VPN first. You can simply access via https://portal.edb.gov.hk, and it will redirect to VPN logon page. You have to pass the 2 factors authentication.

Use your DEFAULT BROWSER to logon EDB Portal.

Please remember to logout both EDB Portal & VPN at top right corner of Sign Out option stated in Question 2.

Note: FortiClient VPN users have the same user experience as at EDB office and do NOT require VPN access.

Ans: Your workstation or notebook must have the following pre-requisite before you can connect to the VPN:

i. Install the VPN client software ii. Install the Government Departmental Portal Certificate

To ease your installation effort on Windows, you can simply download, unzip and run the VPN packaging software to accomplish all the required tasks.

For download software package: https://intranetsup.edb.gov.hk/irooms/help/edbvpn_setup_v3.zip

For details, please refer to the installation guideline as below: https://intranetsup.edb.gov.hk/irooms/help/User_Guideline_for_VPN_Access.pdf

Note: You must install the VPN client by the VPN Packaging Software

Ans: Same as at EDB Office, you must click the sign-out option at the top right corner of EDB Portal Home. Remember to close all the browser windows after your successful logout.

Ans: You must logon VPN first before you access any EDB Portal applications via Internet (https://portal.edb.gov.hk). In other words, all portal resources, except school mail systems, require VPN to access via Internet.

Ans: Below is the support version of Windows & Web browser for your reference.

For Windows 10 1803 in particular, KB4103721 is required for VPN to work properly.

For details: https://support.microsoft.com/en-us/help/4103721/windows-10-update-kb4103721

Please ensure that the latest patch has been applied on your Windows.

Ans: Yes, it supports with Mac OS to access EDB Portal. You need to logon VPN before we can access any EDB resources. You are required to install both VPN clients & DP certificate on your MAC for VPN connection. Please refer to the installation guideline for details. https://intranetsup.edb.gov.hk/irooms/help/VPN_mac.pdf

Ans: Yes, since our VPN packaging software will install the DP certificate into windows certificate store, Firefox would read its own certificate store instead. In other words, it is required to install the certificate manually by yourself:

i. Go to VPN portal: https://intranetsup.edb.gov.hk/irooms/help/vpnforportal.html
ii. Right click 2. RootCA Certificate and choose “save as” to download the certificate.
iii.Open Firefox, go to Options, Security & Privacy
iv. Go to Certificate Section, click view Certificate
v. Then click import, check the box: “Trust this CA to identify websites.” and click OK. The CA certificate will be imported successfully.

Ans: You can change your password by clicking the option at the top right corner of EDB Portal Home.

Ans: Again, you can access EDB Portal via VPN. Mobile app is required to install on your mobile for VPN access. Mobile app has version for both iOS and Android. Please refer to the installation guideline for details.

https://intranetsup.edb.gov.hk/irooms/help/VPN_mobile.pdf

Ans: It is reported that your workstation may fail to connect the VPN if your workstation is installed with some endpoint protection software such as Kaspersky 10 SP1 MR3. However, the problem is resolved after it is upgraded it to Kaspersky 10 SP2 MR3.

Ans: It is probably your workstation failed to install the certificate. You may verify whether the DP certificate is installed properly on your workstation highlighted in blue as below.

1. Click Start, type certmgr.msc in the search field
2. Check whether the certificate "Root CA 256" exists

Such problem could be avoided if you deploy your VPN client via the packaging software. In such case, you are required to uninstall the VPN software (Please refer to Q18 for details) and then install back the VPN via our VPN package.

Ans: e-Leave may be blocked by the popup blocker of browser. It is required to configure your browser under the following steps to enable e-Leave access:

For Chrome:

1. Click the settings from the Google Chrome menu (Icon with the three dots in the upper right corner)

2. Select Privacy and Security at the left panel
3. Click the Site Settings button.

4. Select Pop-ups and redirects.

5. To enable pop-ups on specific sites, check Blocked (recommended) Click Add next to Allow and enter the URL: https://dsp.edb.ccgo.hksarg & https://dp.edb.ccgo.hksarg

6. If it doesn’t work, you may try to disable the pop-up blocker uncheck the Blocked box circled in blue.

For Microsoft Edge:

1. Click the settings from the New Edge menu (Icon with the three dots in the upper right corner)
2. Select Site Permissions at the left panel.
3. Select Pop-ups and redirects.

4. Move the Block toggle to On. Click Add and enter the URL: https://dsp.edb.ccgo.hksarg & https://dp.edb.ccgo.hksarg

For Internet Explorer

1. Click the tools menu from top right corner and select Internet Options.

2. Select the Privacy tab.
3. Click Setting for the Pop-up Blocker.

4. Type https://dsp.edb.ccgo.hksarg & https://dp.edb.ccgo.hksarg to the allowed web site & click Add then Close.

For Firefox

1. Open Firefox browser. Click the Tools menu (the icon of three horizontal lines in the top right of the browser window). Select Options.
2. Select the Privacy and Security Panel.
3. Under the Permission Section, click the Exceptions at the Block pop-up windows.

4. Add https://dsp.edb.ccgo.hksarg & https://dp.edb.ccgo.hksarg as the allowed web sites and save changes.

Ans: Go to Control Panel -> Program and Features. There you can remove your VPN by removing the program “BIG-IP Edge Client Components (All Users)” circled in red as below.

Ans: No panic. The browser session may not terminate properly during the last logon. Please click “here” and you can logon the VPN again.

Ans: There may be several possibilities, such as incompatibility of OS (Q.11) or software (Q.15) with VPN clients. Another possibility is that the VPN adapters of Windows are corrupted. It occasionally happens on the Windows 10 version prior to 1903, such as 1803, 1809, etc. You can fix this by the following steps:

i. Run “devmgmt.msc” and click “OK”

ii. Device Manager will prompt. Under Network Adapters, uninstall all adapters starting with “WAN Miniport” by right click and select uninstall

iii. Once the uninstall is complete, go to the menu bar and select “Scan for Hardware Changes” under “Action”. Those adapters will reinstall automatically without restarting your PC.

Ans: No. Split tunnelling is deployed for our VPN solution. In other words, only traffic which access EDB DP & CCGO resources will be redirected to the EDB network via VPN. User can still browse internet or access any resources on your own network even when the VPN is connected.

Ans: Use passwords with at least 8 characters composed of ALL of the following categories:

• Upper case alphabet (A..Z)
• Lower case alphabet (a..z)
• Digits (0-9)
• Special characters (e.g. !@$)

The last 8 passwords must not be re-used.

Ans: For Android 9 or newer, you are required to turn off Private DNS by go to the network settings -> Connections -> Private DNS and turn it off.

Ans: It is simple to register two factor authentication by going to VPN Portal and click "register 2FA now" under the 2FA Registration Section. Please refer to the guideline for details.

You are required to logon your school mail system to get your QR code for importing the second authentication factor.

Ans: When you switch to a new mobile, you can simply re-scan the QR code that you have previously received to set up the one-time password on your new mobile. If you need us to resend the QR code, click “Resend QR code (for registered only)”. Bring up your old mobile to pass the two factor authentication and then email with your QR code will be sent to you immediately.

Ans: Yes, you can. There is no restriction to setup one-time password on multiple mobile devices.

Ans: If you have lost your mobile, you have to report to Help Desk first and will delete your previous registration. Then you can regenerate a new QR code by clicking “Register 2FA” for your new mobile.

Ans: You are required to modify the path: vpn.edb.gov.hk/2fa and enable the web logon on the app circled in red. Please refer to the installation guideline for details.

https://intranetsup.edb.gov.hk/irooms/help/VPN_mobile.pdf

Ans: Microsoft Authenticator is a two-factor authentication program installed on your mobile. It solely helps you to secure your VPN account by using the industry standard time-based One Time Password (OTP). As a matter of fact, other apps such as Google Authenticator, etc. can also be used to serve the same purpose.

Microsoft Authenticator app collects three types of information:

• Account info that you provide when you add your account. This data can be removed by removing your account.

• Diagnostic log data that stays only in the app until you use Send feedback in the app's top menu to send logs to Microsoft. These logs can contain personal data such as email addresses, server addresses, or IP addresses. They also can contain device data such as device name and operating system version. Any personal data collected is limited to info needed to help troubleshoot app issues. You can browse these log files in the app at any time to see the info being gathered. If you send your log files, Authentication app engineers will use them only to troubleshoot customer-reported issues. If you do not send any log files, the data will not leave your device.

• Non-personally identifiable usage data, such "started add account flow/successfully added account," or "notification approved." This data is an integral part of our engineering decisions. Your usage helps the vendor to determine where they can improve the apps. You see a notification of this data collection when you use the app for the first time. It informs you that it can be turned off on the app's Settings page. You can turn this setting on or off at any time.

Please refer to the following link for further details:

Questions & answers about Microsoft Authenticator app - Azure AD | Microsoft Docs

Ans: As an alternative, you can install a Chrome browser extension by following the user guide. However, it is most common to use a mobile phone with an Authenticator App for 2-factor authentication because it is more convenient and easier to use.

https://intranetsup.edb.gov.hk/irooms/help/User_Guideline_for_Authenticator_as_Browser_extension.pdf

Ans: The Authenticator Chrome extension does not require any extra permissions. It does not have the capability to access other files on the computer. It only generates a 6-digit one-time password using a standard time-based algorithm and the key in the QR code.

Ans: Sometimes, Android mobile encounter out sync of time and will causes your one-time password out of sync with the server. You are required to re-sync your system time again by going to Settings -> System & Devices -> Date and Time -> Use Network Provided Time, then toggle off and on the button.

Note: Different Android version may have a bit different way to reset your time sync.

Ans: Some workstations may fail to redirect the EDB Portal Home Page when they have installed NOD32 ESET client software. Further configuration is required to whitelist our VPN. Please follow the guideline below.

https://intranetsup.edb.gov.hk/irooms/help/ESET_Endpoint_Security_Whitelist.pdf

Ans: Whenever you encounter this error, click Yes and then press Cltr & F5 together. Your browser will refresh and the problem will be probably gone.